\clearpage
\subsection{Package Signatures}
%\addcontentsline{toc}{section}{Appendix B - Package Signatures}

All of the RPMs provided via the \OHPC{} repository are signed with a GPG
signature. By default, the underlying package managers will verify these signatures during
installation to ensure that packages have not been altered. The RPMs can also
be manually verified and the public signing key fingerprint for the latest
repository is shown below: \\

\texttt{Fingerprint: DD5D 8CAA CB57 364F FCC2  D3AE C468 07FF {\bf26CE 6884}} \\

\noindent The following command can be used to verify an RPM once it
has been downloaded locally by confirming if the package is signed, and if so,
indicating which key was used to sign it. The example below highlights usage
for a local copy of the \texttt{docs-ohpc} package and illustrates how the {\em
key ID} matches the fingerprint shown above.

\begin{lstlisting}[language=bash,keywords={}]
[sms](*\#*) rpm --checksig -v docs-ohpc-*.rpm
docs-ohpc-1.0-1.1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 26ce6884: OK
    Header SHA1 digest: OK (c3873bf495c51d2ea6d3ef23ab88be105983c72c)
    V3 RSA/SHA256 Signature, key ID 26ce6884: OK
    MD5 digest: OK (43d067f33fb370e30a39789439ead238)
\end{lstlisting}



